Hi,
Hope you experts can help me with this issue.
I am doing SSO setup on SAP BI 4.1 SP5 on Windows Server 2012 R2. I have followed the process as outlined in the article at http://scn.sap.com/blogs/josh_fletcher/2012/06/11/active-directory-sso-for-sap-businessobjects-bi4.
I am stuck at Step 9, as I cannot get silent SSO no matter what. I understand a lot of people have had this issue and there have been a lot of discussions in the SAP blog about it, and I've read all of them.
However, does anyone have a solution for this problem?
Here are my configurations (with sanitized domain names):
Environment:
Domain Name: XXXXCO (FQDN: CORP.XXXXCO.COM)
BO Service Account: CMS41SVC (password: F4M34!xl )
Domain Controller: VM-DC-GH-01.CORP.XXXXCO.COM
BusinessObjects Server: DEV-BOB-APP-01.CORP.XXXXCO.COM
BusinessObjects AD Group: XXXXCO\DL-Business Objects
krb5.ini file
----------------
[libdefaults]
default_realm = CORP.XXXXCO.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
CORP.XXXXCO.COM = {
kdc = VM-DC-GH-01.CORP.XXXXCO.COM
default_domain = CORP.XXXXCO.COM
}
bscLogin.conf file
---------------------------------
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
BIlaunchpad.properties file
--------------------------------------------
authentication.visible=true
authentication.default=secWinAD
sso.types.and.order=vintela
global.properties file
-------------------------------------
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=CORP.XXXXCO.COM
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
Tomcat added options
-----------------------------------------
...
-Djava.security.auth.login.config=c:\windows\bscLogin.conf
-Djava.security.krb5.conf=c:\windows\krb5.ini
-Dcom.wedgetail.idm.sso.password=F4M34!xl
-Djcsi.kerberos.debug=true
What I've done so far:
-All steps 1-8 verified (as per Josh's article above)
-(NOTE: Under Delegation tab for service account CMS41SVC, turned on ‘Trust this user for delegation to any service (Kerberos only)’.)
-I can get the ticket with kinit CMS41SVC.
-There are no duplicate SPNs.
-I got "commit succeeded" after step 8 and was able to get Manual AD access to the system with AD accounts.
-After application of step 9 I do not get silent SSO and, perhaps not surprisingly, cannot login with AD accounts any more.
I have not performed the keytab steps as this is a showstopper, I guess.
What is wrong here?! Any suggestions?
Some additional questions:
- Does my service account CMS41SVC need to be a member of the BusinessObjects AD Group XXXXCO\DL-Business Objects? In my setup it is not.
- Further, what is the impact of SSO on the deployment of the Mobile server? If we manage to set up SSO, will it be propagated to Mobile clients?
- Is there a special process for setting up Mobile clients for a platform with SSO set up?
- Similarly, what is the impact of SSO on the integration with SharePoint?
- Is there a special process for setting up SharePoint integration for a platform with SSO set up?
Many thanks for your help in the past and your effort regarding this one.
Regards,
Davor Mitrasevic
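An added example, not part of the original post or of SAP's or the linked article's material: a small Python checker that parses the krb5.ini, the two .properties files and the Tomcat -D options quoted above and reports cross-file inconsistencies (realm mismatch or missing kdc, vintela ordered in BIlaunchpad.properties without vintela.enabled, the service-account password passed on the JVM command line, RC4-only ticket enctypes). The file contents are constructed from the sanitized names in the post and the password value is a placeholder.

```python
# Added example (not SAP's or the poster's code). Sample inputs are constructed from the post; the password is a placeholder.
KRB5_INI = """[libdefaults]
default_realm = CORP.XXXXCO.COM
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
[realms]
CORP.XXXXCO.COM = {
kdc = VM-DC-GH-01.CORP.XXXXCO.COM
}
"""
GLOBAL_PROPS = "sso.enabled=true\nvintela.enabled=true\nidm.realm=CORP.XXXXCO.COM\nidm.allowNTLM=false\n"
LAUNCHPAD_PROPS = "authentication.default=secWinAD\nsso.types.and.order=vintela\n"
TOMCAT_OPTS = [r"-Djava.security.auth.login.config=c:\windows\bscLogin.conf",
               r"-Djava.security.krb5.conf=c:\windows\krb5.ini", "-Dcom.wedgetail.idm.sso.password=PLACEHOLDER"]

def parse_krb5(text):
    """Minimal krb5.ini parser: {section: {key: value}}, with REALM = { ... } blocks nested by realm name."""
    out, section, realm = {}, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("["):                      # section header, e.g. [libdefaults]
            section, realm = line.strip("[]").lower(), None
        elif line.endswith("{"):                      # start of a realm block inside [realms]
            realm = line.split("=", 1)[0].strip()
            out.setdefault(section, {})[realm] = {}
        elif line == "}":
            realm = None
        elif "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            (out[section][realm] if realm else out.setdefault(section, {}))[k.lower()] = v
    return out

def parse_props(text):                                # key=value subset of Java .properties
    pairs = (ln.split("=", 1) for ln in text.splitlines() if "=" in ln and not ln.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check_sso(krb5_text, global_props, launchpad_props, tomcat_opts):
    """Return a list of findings; an empty list means the cross-file invariants hold."""
    krb5, g, lp = parse_krb5(krb5_text), parse_props(global_props), parse_props(launchpad_props)
    opts = dict(o[2:].split("=", 1) for o in tomcat_opts if o.startswith("-D") and "=" in o)
    realm, findings = krb5.get("libdefaults", {}).get("default_realm"), []
    if realm != g.get("idm.realm") or "kdc" not in krb5.get("realms", {}).get(realm, {}):
        findings.append(f"realm mismatch or missing kdc: default_realm={realm}, idm.realm={g.get('idm.realm')}")
    if lp.get("sso.types.and.order") == "vintela" and g.get("vintela.enabled") != "true":
        findings.append("BIlaunchpad orders 'vintela' but global.properties has vintela.enabled != true")
    if "com.wedgetail.idm.sso.password" in opts:
        findings.append("service-account password passed as a JVM -D option: readable in process listings; the keytab steps avoid this")
    enc = {krb5.get("libdefaults", {}).get(k) for k in ("default_tkt_enctypes", "default_tgs_enctypes")}
    if enc == {"rc4-hmac"}:
        findings.append("ticket enctypes restricted to rc4-hmac; AES (aes256-cts-hmac-sha1-96) is preferred where supported")
    return findings
```

Run against the post's own settings it reports no realm or vintela inconsistency, only the two hardening findings (password on the command line, RC4-only enctypes).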